Abstract


Hybrid dynamic systems include both continuous and discrete state variables. Properties of hybrid systems, which have an infinite state space, can often be verified using ordinary model checking together with a finite-state abstraction. Model checking can be inconclusive, however, in which case the abstraction must be refined. This paper presents a new procedure to perform this refinement operation for abstractions of hybrid systems. Following an approach originally developed for finite-state systems [1, 2], the refinement procedure constructs a new abstraction that eliminates a counterexample generated by the model checker. For hybrid systems, analysis of the counterexample requires the computation of sets of reachable states in the continuous state space. We show how such reachability computations with varying degrees of complexity can be used to refine hybrid system abstractions efficiently. Examples illustrate our counterexample-guided refinement procedure, and experimental results for a prototype implementation of the procedure indicate significant advantages over existing methods.


Keywords: Formal Verification, Abstraction, Model Checking, Hybrid Systems, Refinement, Counterexamples


1  Introduction 


Hybrid systems are formal models that include both continuous and discrete state variables. With the increasing use of hybrid systems to design embedded controllers for complex systems such as manufacturing processes, automobiles, and transportation networks, there is an urgent need for more powerful analysis tools, especially for safety critical applications. Tools developed so far for the automated analysis of hybrid systems are restricted to low-dimensional continuous dynamics [3]. The reason for this limitation is the difficulty of representing and computing sets of reachable states for continuous dynamic systems. Recent publications have proposed two general approaches to deal with the complexity of hybrid system analysis, namely modular analysis (e.g., [4, 5]) and abstraction (e.g., [6, 7, 8]). This paper focuses on the latter approach.

Abstraction maps a given model into a less complex model that retains the behaviors of interest [6]. In the context of hybrid system verification, abstraction transforms the inherently infinite state system into a finite-state model [7, 8]. Existing tools often do not take into account the specification itself when building an abstract model. Rather, an abstract representation is constructed for the entire hybrid system using a degree of detail which seems to be appropriate. If the abstraction is not suitable to analyze the property, then the abstract model is globally refined [9].

As an alternative, we suggest a procedure that (a) starts from a coarse abstract model and a safety property, (b) identifies parts of the hybrid system which potentially violate the property, and (c) iteratively refines the abstract model until verification reveals whether or not the property in question is satisfied. A framework that follows this general scheme of abstraction, refinement, and analysis is counterexample-guided abstraction refinement (CEGAR) [1, 10, 2]: For a given system the initial abstraction leads to a conservative model that is guaranteed to include all behaviors of the original system. Model checking is then applied to the abstract model. If the property is violated, the model checker produces a counterexample as an execution path of the abstract model for which the property is not true. If this counterexample corresponds to a genuine behavior of the original system, then the property does not hold for the original system. Otherwise, the information provided by the counterexample is used to refine the abstract model, i.e., some detail is added to the abstract model in order to obtain a more accurate, yet conservative, representation of the original model. In particular, the refined model is constructed so as to exclude the spurious counterexample. The procedure of alternating between model checking and refinement is continued until the property is confirmed or refuted.

This procedure has recently been applied successfully to finite-state systems in a variety of areas, and in particular in the verification of digital circuits [1, 10]. Earlier work based on the use of counterexamples includes the localization reduction in the context of concurrent systems [2], and recent work has seen the application of the technique to the verification of C programs [11, 12].

This paper extends counterexample-guided model refinement to hybrid systems, which include both continuous and discrete state variables and thus have an infinite state space. We provide effective means of coping with the difficulties of computing reachable sets for hybrid systems. In particular, we employ reachable set computations with varying degrees of accuracy to refine hybrid system abstractions efficiently. This flexibility cannot easily be achieved with other verification tools for hybrid systems.

The paper is structured as follows. Section 2 presents preliminaries on abstraction and counterexample-guided refinement. In Section 3 we describe the CEGAR verification approach that refines abstract models based on counterexamples. We introduce hybrid systems in Section 4, and apply CEGAR to hybrid systems in Section 5. Section 6 summarizes the contributions of this paper.

2  Preliminaries 

We introduce the notions of abstraction and counterexample-guided refinement for general transition systems, defined as follows:

Definition 1 Transition System. A transition system is a triple $TS = (S, S_0, E)$ with a (possibly infinite) state set $S$, an initial set $S_0 \subseteq S$, and a set of transitions $E \subseteq S \times S$. ◇

A path of a transition system is a finite sequence $(s_0, s_1, \ldots, s_m)$ with $s_0 \in S_0$, each $s_i \in S$, and each pair of successive states $(s_i, s_{i+1}) \in E$.

Given  two  transition  systems  A  and  C,  A  is  said  to  be  an  abstract  model  of  C  if  the 
following  relation  can  be  established. 

Definition 2 Abstraction. A transition system $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$ with a finite set of states $\hat{S}$ is an abstract model of a transition system $C = (S, S_0, E)$, denoted $\hat{A} \succeq C$, if there exists an abstraction function $\alpha : S \to \hat{S}$ such that:

• the initial set is $\hat{S}_0 = \alpha(S_0) = \{\hat{s}_0 \mid \exists s_0 \in S_0 : \hat{s}_0 = \alpha(s_0)\}$, and

• $\hat{E} \supseteq \alpha(E) = \{(\hat{s}_1, \hat{s}_2) \mid \exists s_1, s_2 \in S : (s_1, s_2) \in E,\ \hat{s}_1 = \alpha(s_1),\ \hat{s}_2 = \alpha(s_2)\}$. ◇

Note:  In  general,  it  is  possible — and  sometimes  desirable — to  consider  an  abstraction 
relation  a  rather  than  a  mere  abstraction  function.  The  work  presented  here  can  easily 
be  adapted  to  this  more  general  case,  however  for  simplicity  we  shall  stick  to  the  above 
definition. 

Sometimes the term simulation is used in the literature to describe the abstraction relation. In contrast to the definitions of abstraction in [1, 10], Defn. 2 allows $\hat{A}$ to include spurious transitions, i.e., the set $\hat{E}$ may contain elements that do not correspond to transitions in $C$. Spurious transitions arise in the construction of abstractions of hybrid systems because in most cases sets of reachable states for continuous systems cannot be represented and computed exactly [9].

Abstract models will be used to analyze properties of a given transition system. Throughout the paper, we will call the given system $C$ the concrete system.

In  order  to  construct  a  more  detailed  model  from  a  given  abstract  model,  we  define 
the  following  concept  of  model  refinement. 

Definition 3 Refinement of Abstract Models. Given a concrete system $C = (S, S_0, E)$ and an abstract model $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$ such that $C \preceq \hat{A}$, with abstraction function $\alpha : S \to \hat{S}$, a model $\hat{A}' = (\hat{S}', \hat{S}'_0, \hat{E}')$ is called a refined abstract model of $C$ with respect to $\hat{A}$ if there are two abstraction functions $\alpha' : S \to \hat{S}'$ and $\alpha'' : \hat{S}' \to \hat{S}$, i.e., if $C \preceq \hat{A}' \preceq \hat{A}$. ◇

Properties  (or  specifications)  are  verified  for  the  concrete  model  C  using  an  abstract 
model  A.  In  this  paper  we  consider  the  verification  of  safety  properties,  defined  as 
follows. 

Definition 4 Safety. Given a transition system $TS = (S, S_0, E)$, let the set $B \subseteq S \setminus S_0$ specify a set of bad states. We say that $TS$ is safe with respect to $B$, denoted by $TS \models AG\,\neg B$, iff there is no path in the transition system from an initial state in $S_0$ to a bad state in $B$. Otherwise we say $TS$ is unsafe, denoted by $TS \not\models AG\,\neg B$. ◇

Definition 5 Counterexamples. A path $\sigma = (s_0, s_1, \ldots, s_m)$ of $TS = (S, S_0, E)$ with $s_m \in B$ is called a counterexample of $TS$ with respect to the safety property $TS \models AG\,\neg B$. Given a concrete transition system $C$, an abstract transition system $\hat{A}$, and a counterexample $\sigma$ in $C$, we say that $\hat{\sigma} = (\hat{s}_0, \hat{s}_1, \hat{s}_2, \ldots, \hat{s}_m)$ is the corresponding abstract counterexample of the abstract system $\hat{A}$, if $\hat{s}_i = \alpha(s_i)$ holds for all $i \in \{0, \ldots, m\}$. Given a counterexample $\hat{\sigma}$ of $\hat{A}$, $\sigma$ is called a corresponding concrete counterexample if for all $i$, $\hat{s}_i = \alpha(s_i)$ and $(s_i, s_{i+1}) \in E$. If a counterexample $\hat{\sigma}$ of $\hat{A}$ has no corresponding concrete counterexample for $C$, $\hat{\sigma}$ is called a spurious counterexample. ◇

Lemma 1 Given a concrete model $C = (S, S_0, E)$, and an abstract model $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$ of $C$ with an abstraction function $\alpha$, let $B \subseteq S \setminus S_0$, and choose $\hat{B} \subseteq \hat{S}$ such that $\hat{B} \supseteq \alpha(B) = \{\hat{b} \mid \exists b \in B : \hat{b} = \alpha(b)\}$. If $\hat{A} \models AG\,\neg\hat{B}$, then $C \models AG\,\neg B$. □

If $\hat{A} \models AG\,\neg\hat{B}$ can be verified, it can immediately be concluded from Lemma 1 (i.e., without applying verification to the concrete system $C$) that $C \models AG\,\neg B$. On the other hand, the converse of Lemma 1 with respect to the AG-property does not hold. If the verification of $\hat{A}$ reveals $\hat{A} \not\models AG\,\neg\hat{B}$, then we cannot conclude that $C$ is not safe with respect to $B$, since the counterexample for $\hat{A}$ may be spurious. We call a method that checks whether or not a counterexample is spurious a validation method. If the validation method discovers that the counterexample is spurious, then the counterexample is used to refine $\hat{A}$. We now introduce a scheme for counterexample-guided abstraction refinement (CEGAR) to verify safety properties for a given concrete model. The basic principle is to repeat the following sequence of steps until the property is verified or refuted [1]. The starting point is a concrete model $C$ and an abstract model $\hat{A}$ (we propose in Sec. 5.1 a specific way to obtain an initial abstract model for hybrid systems). The first step is then to analyze $\hat{A} \models AG\,\neg\hat{B}$ by model checking. If this property holds it can immediately be concluded from Lemma 1 that $C$ is safe, too. Otherwise a counterexample is obtained, and we must verify whether it has a corresponding real counterexample in $C$. If so, then the safety property does not hold for $C$. Otherwise, i.e., when the counterexample is spurious, the counterexample is used to refine the model $\hat{A}$. That is, a new and more detailed model $\hat{A}'$ with $C \preceq \hat{A}' \preceq \hat{A}$ is produced, which excludes the spurious counterexample.




The procedure of model checking, validation of the counterexample, and refinement of the abstract model is repeated until the safety property is proved or refuted for $C$. The pseudo-code in Fig. 1 summarizes this procedure:

ALGORITHM: Counterexample-Guided Abstraction Refinement: Cegar
INPUT: Concrete model $C$ and a set of bad states $B$
OUTPUT: $B$ is (or is not) reachable

    Generate initial abstract model $\hat{A}$ (bad states are called $\hat{B}$)
    Generate counterexample $\hat{\sigma}$ (if one exists) by model checking $\hat{A}$ wrt $\hat{B}$
    WHILE $\hat{\sigma}$ exists DO
        Validation of $\hat{\sigma}$
        IF $\hat{\sigma}$ validated THEN terminate with "B reachable"
        ELSE
            Generate refined model $\hat{A}'$ using counterexample $\hat{\sigma}$
            $\hat{A} := \hat{A}'$
            Generate next $\hat{\sigma}$ by model checking $\hat{A}$ wrt $\hat{B}$
        ENDIF
    ENDDO
    Terminate with "B not reachable"

Figure 1: Cegar: Scheme for verifying/falsifying $C \models AG\,\neg B$ based on counterexample-guided abstraction refinement

The crucial steps in the CEGAR procedure are model checking, validation, and refinement. With respect to model checking, standard algorithms for AG-properties can be used [13].

For validating a counterexample, the important ingredient is the computation of successors of states. We define an operator $succ$ that determines the successor states from a given set $\tilde{S} \subseteq S$ by $succ(\tilde{S}) = \{s' \in S \mid \exists s \in \tilde{S} : (s, s') \in E\}$. This set may not be exactly computable for a given concrete model $C$, i.e. only over-approximations $\overline{succ}(\tilde{S}) \supseteq succ(\tilde{S})$ may be available. We first assume that $succ(\tilde{S})$ is computable.

A counterexample $\hat{\sigma} = (\hat{s}_0, \ldots, \hat{s}_m)$ of $\hat{A}$ is then validated as follows: Let $S_k = \alpha^{-1}(\hat{s}_k)$, $k \in \{0, \ldots, m\}$ denote the sets of concrete states corresponding to an element of $\hat{\sigma}$. The reachable parts of these sets are recursively defined by $S_0^{reach} := S_0$, $S_k^{reach} := succ(S_{k-1}^{reach}) \cap S_k$, $k \in \{1, \ldots, m\}$. The counterexample is spurious iff $S_k^{reach} = \emptyset$ for at least one $k$, and we say the counterexample is refuted. Otherwise, the counterexample is validated, and $B$ is reachable.

If the counterexample is refuted with $S_k^{reach} = \emptyset$, the model $\hat{A}$ is refined into a new finite abstract model $\hat{A}' = (\hat{S}', \hat{S}'_0, \hat{E}')$ (cf. Defn. 3). The refined model should take into account that there are no concrete transitions from states in $S_{k-1}^{reach}$ to states in $S_k$. We therefore require that the set $\hat{E}'$ of $\hat{A}'$ not contain transitions in the set $\{(\alpha'(s_1), \alpha'(s_2)) \mid \exists s_1 \in S_{k-1}^{reach}, s_2 \in S_k\}$. Thus, successive refined models will exclude previously explored counterexamples. A method for the refinement of abstract models for infinite-state systems will be presented in the next section.
3 Refinement of Abstract Models


This section presents a specific method for refining an abstract model $\hat{A}$. The main idea is to directly use the information obtained from the validation procedure to refine certain abstract states. Assume that the abstract model includes a transition between $\hat{s}_1$ and $\hat{s}_2$, while the validation of the counterexample has revealed that only a subset of concrete states in $S_2 := \alpha^{-1}(\hat{s}_2)$ is reachable from concrete states in $S_1 := \alpha^{-1}(\hat{s}_1)$. In this case we refine $\hat{A}$ by splitting $\hat{s}_2$ into two new states. The first one, denoted by $\hat{s}_2^{reach}$, represents the reachable subset of $S_2$, given by $S_2^{reach} := succ(S_1) \cap S_2$. The second one, denoted by $\hat{s}_2^{comp}$, represents the complement of the reachable part, given by $S_2^{comp} := S_2 \setminus S_2^{reach}$. In addition, the abstraction function that maps concrete states to abstract ones also has to be refined.

Definition 6 State Splitting. Consider a concrete model $C = (S, S_0, E)$ and an abstract model $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$ with an abstraction function $\alpha : S \to \hat{S}$. Let $(\hat{s}_1, \hat{s}_2) \in \hat{E}$ be a transition of a counterexample $\hat{\sigma}$. Then, we define $\rho_{split}$ to be a function that maps $\hat{A}$, $\alpha$, and $(\hat{s}_1, \hat{s}_2) \in \hat{E}$ onto both an abstract model $\hat{A}' = (\hat{S}', \hat{S}'_0, \hat{E}')$ and an abstraction function $\alpha' : S \to \hat{S}'$, i.e., $(\hat{A}', \alpha') = \rho_{split}(\hat{A}, \alpha, (\hat{s}_1, \hat{s}_2))$, defined as follows:

• $\hat{S}' = (\hat{S} \setminus \{\hat{s}_2\}) \cup \{\hat{s}_2^{reach}, \hat{s}_2^{comp}\}$

• $\alpha'(s) = \begin{cases} \alpha(s) & \text{if } s \notin S_2 \\ \hat{s}_2^{reach} & \text{if } s \in S_2^{reach} \\ \hat{s}_2^{comp} & \text{if } s \in S_2^{comp} \end{cases}$

• $\hat{S}'_0 = \{\hat{s}' \in \hat{S}' \mid \alpha''(\hat{s}') \in \hat{S}_0\}$

• $\hat{E}' = \{(\hat{s}'_1, \hat{s}'_2) \in \hat{S}' \times \hat{S}' \mid \exists \hat{s}_1, \hat{s}_2 \in \hat{S} : (\hat{s}_1, \hat{s}_2) \in \hat{E} \wedge \hat{s}_1 = \alpha''(\hat{s}'_1) \wedge \hat{s}_2 = \alpha''(\hat{s}'_2)\} \setminus \{(\hat{s}_1, \hat{s}_2^{comp})\}$

where $\alpha'' : \hat{S}' \to \hat{S}$ maps $\hat{s}'$ to itself if $\hat{s}' \notin \{\hat{s}_2^{reach}, \hat{s}_2^{comp}\}$, and to $\hat{s}_2$ otherwise. ◇

Lemma 2 Let $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$ be an abstract model of $C = (S, S_0, E)$ with abstraction function $\alpha : S \to \hat{S}$. For a given transition $(\hat{s}_1, \hat{s}_2) \in \hat{E}$, assume that $S_2^{reach} \neq \emptyset$. Then $(\hat{A}', \alpha') := \rho_{split}(\hat{A}, \alpha, (\hat{s}_1, \hat{s}_2))$ is a refinement of $\hat{A}$, i.e., $\hat{A} \succeq \hat{A}' \succeq C$. □

As a next step, we consider the case where the set of successors of $S_1$ and the set $S_2$ are disjoint. In this case, we can simply omit the corresponding abstract transition.

Definition 7 Transition Purging. The function $\rho_{purge}$ maps an abstract model $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$, an abstraction function $\alpha : S \to \hat{S}$ and a transition $(\hat{s}_1, \hat{s}_2) \in \hat{E}$ to $\hat{A}' = (\hat{S}, \hat{S}_0, \hat{E}')$ with $\hat{E}' = \hat{E} \setminus \{(\hat{s}_1, \hat{s}_2)\}$. ◇




Lemma 3 Let $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$ be an abstract model of $C = (S, S_0, E)$ with the abstraction function $\alpha : S \to \hat{S}$. For a given transition $(\hat{s}_1, \hat{s}_2) \in \hat{E}$, assume that $S_2^{reach} = \emptyset$. Then $\hat{A}' := \rho_{purge}(\hat{A}, \alpha, (\hat{s}_1, \hat{s}_2))$ is a refinement of $\hat{A}$, i.e., $\hat{A} \succeq \hat{A}' \succeq C$. □


Based on these results, we now present a more specific formulation of the Cegar algorithm in Fig. 2, called Infinite-State-Cegar, which uses the functions $\rho_{split}$ and $\rho_{purge}$ for refinement.

ALGORITHM: Infinite-State-Cegar
INPUT: Concrete model $C$ and a set of bad states $B$
OUTPUT: $B$ is (or is not) reachable

    Generate initial abstract model $\hat{A}$ and abstraction function $\alpha$
    $\hat{B} := \alpha(B)$
    Generate counterexample $\hat{\sigma} = (\hat{s}_0, \ldots, \hat{s}_m)$ by model checking of $\hat{A}$ wrt $\hat{B}$
    $S_0^{reach} := \alpha^{-1}(\hat{s}_0)$
    WHILE $\hat{\sigma}$ exists DO
        // validation of counterexample
        $k := 0$
        WHILE $S_k^{reach} \neq \emptyset$ AND $k < m$ DO
            $k := k + 1$
            $S_k^{reach} := succ(S_{k-1}^{reach}) \cap \alpha^{-1}(\hat{s}_k)$
        ENDDO
        // if counterexample is validated, then terminate, else refine
        IF $S_m^{reach} \cap B \neq \emptyset$ THEN terminate with "B reachable"
        ELSE
            FOR $l = 1, \ldots, k$
                // split abstract state $\hat{s}_l$ into two: one that corresponds
                // to $S_l^{reach}$ and one that corresponds to $\alpha^{-1}(\hat{s}_l) \setminus S_l^{reach}$
                IF $S_l^{reach} \neq \alpha^{-1}(\hat{s}_l)$
                    THEN $(\hat{A}, \alpha) := \rho_{split}(\hat{A}, \alpha, (\hat{s}_{l-1}, \hat{s}_l))$
                ENDIF
            ENDFOR
            // remove spurious transition between $\hat{s}_{k-1}$ and $\hat{s}_k$
            $\hat{A} := \rho_{purge}(\hat{A}, \alpha, (\hat{s}_{k-1}, \hat{s}_k))$
            Generate $\hat{\sigma}$ by model checking of $\hat{A}$ wrt $\hat{B}$
        ENDIF
    ENDDO
    Terminate with "B not reachable"

Figure 2: Infinite-State-Cegar.

Correctness of the algorithm is implied by the following lemma.¹ Note that termination of the algorithm cannot be guaranteed as the number of states in the concrete model may be infinite, and a finite abstract model to verify (or disprove) the given property may not exist [14].

¹ The proofs of all lemmas in the paper can be found in the appendix.

Lemma 4 If the algorithm terminates with "B reachable", then $C \not\models AG\,\neg B$, and if the algorithm terminates with "B not reachable", then $C \models AG\,\neg B$. □

The proposed procedure of validating counterexamples and refining abstract models is based on the computation of successor states. Alternatively, one could formulate a similar algorithm that uses sets of predecessors, or even a combination of both as presented in [1] and [10].

The Infinite-State-Cegar algorithm in Fig. 2 is based on the assumption that sets of successor states are exactly computable. Unfortunately, this rarely occurs in practice for hybrid systems, and one must settle for an over-approximation $\overline{succ}$ to the successor function $succ$. In this case, the counterexample validation step may become overly conservative, in that the algorithm may fail to refute a spurious counterexample.² On the other hand, we have:

Lemma 5 If the Infinite-State-Cegar algorithm using over-approximations in computing successor states terminates with "B not reachable", then $C \models AG\,\neg B$. □

3.1  Example 

Let us borrow Hofstadter's "MU-puzzle" [15] to illustrate the salient issues at hand.

The MIU-system is a simple rewrite system over alphabet $\Sigma = \{M, I, U\}$, with initial string $MI$, and production rules

1. $xI \to xIU$

2. $Mx \to Mxx$

3. $xIIIy \to xUy$

4. $xUUy \to xy$

where $x, y \in \Sigma^*$ are arbitrary finite strings, and string concatenation is denoted as simple juxtaposition. For example, from the initial string $MI$, one can derive the new string $MIU$ through an application of Rule 1.

The MU-puzzle asks whether this rewrite system can ever derive the string $MU$. We model this as a safety property over an infinite transition system $C = (S, S_0, E)$, as follows. Let $S = \Sigma^*$, $S_0 = \{MI\}$, and

$E = \{(xI, xIU), (Mx, Mxx), (xIIIy, xUy), (xUUy, xy) \mid x, y \in \Sigma^*\}$.

Let $B = \{MU\}$. It is clear that $C \models AG\,\neg B$ if and only if the MU-puzzle cannot be solved, in other words if the string $MU$ cannot be derived in the MIU-system.

The abstract models of $C$ that we shall consider 'lump together' states (i.e., $\Sigma$-strings) of $S$. The first step is to choose an initial abstract model. The only obligatory requirement is that this model should separate the initial state(s) from the bad state(s). An additional desirable property of the initial partition is that it should also be reasonably coarse, so as to minimize the number of abstract states and correspondingly allow for efficient model checking.

² We discuss this point in greater detail in the next section.

Let us first introduce some auxiliary definitions. For $x \in \Sigma^*$, let $\sharp_I x$ represent the number of times the symbol $I$ appears in $x$, modulo 3. Next, for $j = 0, 1, 2$, let $S^{=j} = \{s \in S \mid \sharp_I s = j\}$. Our initial abstract model is $\hat{A}_1 = (\{S^{=1}, S^{=0,2}\}, \{S^{=1}\}, \hat{E}_1)$, where $S^{=0,2} = S^{=0} \cup S^{=2}$ and the transition relation $\hat{E}_1$ is depicted below:

The abstraction function $\alpha_1 : S \to \{S^{=1}, S^{=0,2}\}$ satisfies $\alpha_1(s) = S^{=1}$ if $\sharp_I s = 1$, and $\alpha_1(s) = S^{=0,2}$ otherwise. Our set of abstract bad states is $\hat{B}_1 = \alpha_1(B) = \alpha_1(\{MU\}) = \{S^{=0,2}\}$.

We now observe that $\hat{A}_1 \not\models AG\,\neg\hat{B}_1$ since there is a path (consisting of a single transition) from the initial state $S^{=1}$ to the bad state $S^{=0,2} \in \hat{B}_1$. However, upon validation over the concrete system $C$, we find that this counterexample is in fact spurious, since the only one-step transitions from the single initial state $MI \in S_0$ are $MI \to MIU$ (as per Rule 1) and $MI \to MII$ (Rule 2). In other words, $MU \in B$ is not reachable in one step.

We must now refine our initial abstraction in such a way as to exclude this counterexample. As discussed above, we would normally base our next refinement on the successor function $succ$. Unfortunately, not only is $succ(S^{=1})$ difficult to compute, but in fact it turns out that iterating the refinement-counterexample-validation cycle with $succ$ would never terminate, and thus would never allow us to decide whether $C \models AG\,\neg B$ or not.

Fortunately, we are able to rely on an over-approximation $\overline{succ}$ of the successor states: $\overline{succ}(s) = \{u \in S \mid \sharp_I u = \sharp_I s \vee \sharp_I u = 2\,\sharp_I s\}$. Glancing at the production Rules 1–4, it is clear that $\overline{succ}$ is indeed an over-approximation of $succ$; for example, Rule 3 removes three I's from one term to the next (and therefore leaves the same number of I's modulo 3), whereas Rule 2 doubles the number of I's of a term.

Applying Infinite-State-Cegar leads to the second abstraction

$\hat{A}_2 = (\{S^{=0}, S^{=1}, S^{=2}\}, \{S^{=1}\}, \hat{E}_2)$,

where $\hat{E}_2$ is depicted below:

[Figure: transition relation $\hat{E}_2$ (image not reproduced in this text)]

The abstraction function $\alpha_2 : S \to \{S^{=0}, S^{=1}, S^{=2}\}$ takes $s \in S$ to $S^{=\sharp_I s}$. We have split the previous abstract state $S^{=0,2}$ into the two states $S^{=0}$ and $S^{=2}$, and updated our transition relation accordingly. Our set of abstract bad states is now

$\hat{B}_2 = \alpha_2(B) = \alpha_2(\{MU\}) = \{S^{=0}\}$.

We observe straightaway that $\hat{A}_2 \models AG\,\neg\hat{B}_2$. Lemma 5 then implies that $C \models AG\,\neg B$, and hence that the MIU-system cannot derive the string $MU$.


In general, there are no hard and fast rules to decide on an initial abstraction or a suitable over-approximation to the successor function. As this example demonstrates, these choices may require a good deal of insight. However, we show in Section 5 that for hybrid systems one can find effective heuristics to derive candidate initial abstractions and successor functions.
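To make the refinement loop concrete, the following Python program (an added illustration, not code from the paper) runs Infinite-State-Cegar on the MIU-system with $\overline{succ}$ encoded on residue sets modulo 3, so that every abstract state $S^{=j}$ and every set produced by splitting is represented exactly. Two assumptions are mine: the initial edge relation $\hat{E}_1$, which the page's figure does not show, is taken to be the one induced by $\overline{succ}$ ((a, b) is an edge iff $\overline{succ}(a)$ meets b), and $\rho_{purge}$ is applied only under the precondition of Lemma 3 ($S_k^{reach} = \emptyset$), since splitting $\hat{s}_m$ and recomputing $\hat{B}$ already excludes a path that ends outside $B$.

```python
from collections import deque

def concrete_succ(s):
    """Exact one-step successors of a string under the four MIU rules."""
    out = set()
    if s.endswith("I"):
        out.add(s + "U")                      # Rule 1: xI -> xIU
    if s.startswith("M"):
        out.add("M" + s[1:] * 2)              # Rule 2: Mx -> Mxx
    for i in range(len(s) - 2):
        if s[i:i + 3] == "III":
            out.add(s[:i] + "U" + s[i + 3:])  # Rule 3: xIIIy -> xUy
    for i in range(len(s) - 1):
        if s[i:i + 2] == "UU":
            out.add(s[:i] + s[i + 2:])        # Rule 4: xUUy -> xy
    return out

def residue(s):
    """#_I s: the number of I's in s, modulo 3."""
    return s.count("I") % 3

def concrete_reach_step(strings, target):
    """Exact S_k^reach for one step: successors whose residue lies in target."""
    return {t for s in strings for t in concrete_succ(s) if residue(t) in target}

def succ_bar(residues):
    """Over-approximated successor on residue sets: j -> {j, 2j mod 3}."""
    return frozenset(r for j in residues for r in (j, (2 * j) % 3))

def model_check(model, bad):
    """BFS for an abstract path from an initial to a bad state; None if safe."""
    parent = {st: None for st in model["init"]}
    queue = deque(model["init"])
    order = sorted(model["edges"], key=lambda e: (sorted(e[0]), sorted(e[1])))
    while queue:
        cur = queue.popleft()
        if cur in bad:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for a, b in order:
            if a == cur and b not in parent:
                parent[b] = cur
                queue.append(b)
    return None

def rho_split(model, s1, s2, reach):
    """Definition 6: replace s2 by its reachable part and its complement."""
    comp = s2 - reach
    states = (model["states"] - {s2}) | {reach, comp}
    lift = lambda st: s2 if st in (reach, comp) else st  # alpha'' maps back to s2
    edges = {(a, b) for a in states for b in states
             if (lift(a), lift(b)) in model["edges"]} - {(s1, comp)}
    init = {st for st in states if lift(st) in model["init"]}
    return {"states": states, "init": init, "edges": edges}

def rho_purge(model, s1, s2):
    """Definition 7: drop the abstract transition (s1, s2)."""
    return {**model, "edges": model["edges"] - {(s1, s2)}}

def infinite_state_cegar(model, bad_residues, max_iter=50):
    """Fig. 2 with succ_bar in place of succ; returns (verdict, model, path)."""
    for _ in range(max_iter):
        bad = {st for st in model["states"] if st & bad_residues}  # B_hat = alpha(B)
        path = model_check(model, bad)
        if path is None:
            return "B not reachable", model, None       # sound by Lemma 5
        m = len(path) - 1
        reach = [path[0]]                                # S_0^reach := alpha^-1(s_0)
        k = 0
        while reach[k] and k < m:
            k += 1
            reach.append(succ_bar(reach[k - 1]) & path[k])
        if k == m and reach[m] & bad_residues:
            return "B reachable", model, path             # needs concrete confirmation
        for l in range(1, k + 1):
            if reach[l] and reach[l] != path[l]:          # Lemma 2: non-empty part
                model = rho_split(model, path[l - 1], path[l], reach[l])
                path[l] = reach[l]
        if not reach[k]:                                  # Lemma 3: S_k^reach empty
            model = rho_purge(model, path[k - 1], path[k])
    raise RuntimeError("no decision within max_iter")

def initial_model():
    """A_hat_1 of Section 3.1. Its edges are not on the page; assumed here to be
    the succ_bar-induced ones: (a, b) is an edge iff succ_bar(a) meets b."""
    states = {frozenset({1}), frozenset({0, 2})}
    edges = {(a, b) for a in states for b in states if succ_bar(a) & b}
    return {"states": states, "init": {frozenset({1})}, "edges": edges}

def solve_mu_puzzle():
    """Run the refinement loop for B = {MU}; returns (verdict, final model)."""
    verdict, model, _ = infinite_state_cegar(initial_model(), frozenset({residue("MU")}))
    return verdict, model
```

Starting from $\hat{A}_1$ the loop refutes the one-step counterexample, splits $S^{=0,2}$ into $S^{=2}$ and $S^{=0}$, purges the spurious transition $S^{=2} \to S^{=0}$ on the next round, and stops with "B not reachable" on the three-state model $\hat{A}_2$.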


4  Hybrid  Systems 

Hybrid systems are a class of infinite state systems that include both continuous and discrete state variables. This section presents the syntax and semantics of hybrid automata, which are used to model hybrid systems. We will illustrate these definitions with an example that models a simple car controller. The same example will be used in later sections to illustrate the CEGAR approach to the verification of hybrid systems.

4.1  Definition  of  Hybrid  Automata 

Definition 8 Syntax of the Hybrid Automaton HA. A hybrid automaton is a tuple $HA = (Z, z_0, X, inv, X_0, T, g, j, f)$ where

• $Z$ is a finite set of locations with an initial location $z_0 \in Z$.

• $X \subseteq \mathbb{R}^n$ is the continuous state space.

• $inv : Z \to 2^X$ assigns to each location $z \in Z$ an invariant of the form $inv(z) \subseteq X$.

• $X_0 \subseteq X$ is the set of initial continuous states. The set of initial hybrid states of HA is thus given by the set of states $\{z_0\} \times X_0$.

• $T \subseteq Z \times Z$ is the set of discrete transitions between locations.

• $g : T \to 2^X$ assigns a guard set $g((z_1, z_2)) \subseteq X$ to $(z_1, z_2) \in T$.

• $j : T \times X \to 2^X$ assigns to each pair $(z_1, z_2) \in T$ and $x \in g((z_1, z_2))$ a jump set $j((z_1, z_2), x) \subseteq X$.

• $f : Z \to (X \to \mathbb{R}^n)$ assigns to each location $z \in Z$ a continuous vector field $f(z)$. We use the notation $f_z$ for $f(z)$. The evolution of the continuous behavior in location $z$ is governed by the differential equation $\dot{x}(t) = f_z(x(t))$. We assume that the differential equation has a unique solution for each initial value $x(0) \in inv(z)$. ◇

The semantics of HA is defined by means of a trace transition system. Each state $(z, x)$ in the trace transition system corresponds to a continuous state $x$ within location $z$. Two such states, $(z_1, x_1)$ and $(z_2, x_2)$, are connected by a transition in the trace transition system if and only if state $(z_2, x_2)$ can be reached from state $(z_1, x_1)$ by a continuous evolution within location $z_1$ followed by a discrete transition to location $z_2$.
Definition 9 Semantics of the Hybrid Automaton HA. The semantics of a hybrid automaton HA is a transition system $TTS = (S, S_0, E)$ with:

• the set of all hybrid states $(z, x)$ of HA, $S = \bigcup_{z \in Z} \bigcup_{x \in inv(z)} \{(z, x)\}$,

• the set of initial hybrid states $S_0 = \{z_0\} \times X_0$,

• transitions $(s_1, s_2) \in E$ with $s_1 = (z_1, x_1)$, $s_2 = (z_2, x_2)$, iff there exists $(z_1, z_2) \in T$ and a trajectory $\chi : [0, \tau] \to X$ for some $\tau \in \mathbb{R}^{\geq 0}$ such that:

  – $\chi(0) = x_1$, $\chi(\tau) \in g((z_1, z_2))$,

  – $x_2 \in j((z_1, z_2), \chi(\tau))$,

  – $\dot{\chi}(t) = f_{z_1}(\chi(t))$ for $t \in [0, \tau]$,

  – $\chi(t) \in inv(z_1)$ for $t \in [0, \tau]$,

  – $x_2 \in inv(z_2)$.

A path $\sigma = (s_0, s_1, s_2, \ldots, s_m)$ of $TTS$ is called a trace of HA, and we refer to $TTS$ as the trace transition system of HA. ◇

Definition 10 Safety of a Hybrid Automaton. For a hybrid automaton HA with a semantics as in Defn. 9, let $z_b \in Z \setminus \{z_0\}$ denote an unsafe location. HA is said to be safe with respect to $z_b$, denoted by $TTS \models AG\,\neg z_b$, iff for all traces $\sigma$ there is no $s \in \sigma$ with $s = (z_b, x)$ for some $x \in X$. We write $TTS \not\models AG\,\neg z_b$ otherwise. ◇

The extension of the analysis task to multiple initial locations and/or multiple unsafe locations is straightforward but is omitted here for simplicity.

4.2  Example 

As a motivating example, we consider a simple controller that steers a car along a straight road. The car is assumed to drive at a constant speed $r = 2$, and its motion is modeled by the distance $x$ from the middle of the road ($x = 0$ corresponds to the middle) and the heading angle $\gamma$ ($\gamma = 0$ corresponds to moving straight ahead). Fig. 3 shows a scenario in which the car is initially on the road. The controller is able to detect whether the car is on the left or right border (i.e. $x < -1$, $x > 1$). Whenever the car enters the left border, the controller forces it to turn right until the car is back on the road again. Then a left turn is initiated, and continued until the car is again going straight ahead in the direction of the road, i.e. when the heading is aligned with the road ($\gamma = 0$). A similar strategy is employed when the car enters the right border.

Fig. 4 shows a hybrid automaton model for this example. Besides the position $x$ and the heading angle $\gamma$, the description includes an internal timer $c$, that the controller uses to time the steering manoeuvres. The differential equations for these three continuous variables depend on the location: we have $\dot{x} = -r \cdot \sin(\gamma)$ in all locations except in_canal. The derivative of $\gamma$ varies when a border is reached. On the border the motion of the car describes an arc with the angular velocity $\dot{\gamma} = -\omega = -\pi/4$ (or $\omega = \pi/4$ respectively), i.e., the arc is part of a circle with radius $r/\omega$. The timer $c$ measures the time period which the car spends on the border. In the correction modes the timer decreases with double rate, i.e., the correction takes half the time as that spent previously by the car on the border. Since the sign of $\dot{\gamma}$ is reversed when the car moves back on the road, the angle has the value zero when the correction mode is left ($c = 0$), i.e., the car then moves along the road. During this correction it might, however, happen that the other border is reached, which means that the controller then switches to the strategy of the corresponding location.

Figure 3: i) Initially, the car drives on the road with heading angle $\gamma$. ii) If the controller detects that the car has left the road, it corrects the heading by turning right to avoid the canal. iii) Once the car is back on the road, a left turn is initiated until the car moves straight again.

The three continuous variables are initialized to $-1 \le x \le 1$ (the car is on the road), $-\pi/4 \le \gamma \le \pi/4$, and $c = 0$. It has to be verified for this set of initial states whether the given control strategy guarantees that the unsafe location in_canal ($z_b$) is never reached. The following sections explain how this task can be solved by abstraction-based and counterexample-guided verification.


Figure  4:  Hybrid  automaton  that  models  the  car  steering  example. 
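The closed-loop behaviour described above, written out as a runnable model. This is an added example and not code from the paper or its prototype implementation: it transcribes the locations, flows and guards of the car steering automaton into Python and simulates the car from sample initial states with fixed-step Euler integration. Two details the text leaves open are assumptions of this script, not statements of the paper: the timer $c$ is reset to zero whenever a border location is entered, and a discrete transition is taken as soon as the trajectory crosses the border line (strict guards), so that a car starting exactly at $x = -1$ does not leave the border in the same instant it enters it. Simulating sample points is not a proof of safety; it only shows, for a few initial states, the behaviour that the abstraction refinement of Section 5 has to establish for the whole initial set.

```python
"""Simulation of the car-steering hybrid automaton of Fig. 4.

Added example: flows, guards and jumps are transcribed from the text;
the timer reset on entering a border and the 'transition on guard
crossing' semantics are assumptions, not statements of the paper.
"""
import math

R = 2.0               # constant speed r
OMEGA = math.pi / 4   # angular velocity on the border


def flow(loc, x, gamma, c):
    """Derivatives (x_dot, gamma_dot, c_dot) in location loc."""
    x_dot = 0.0 if loc == "in_canal" else -R * math.sin(gamma)
    gamma_dot = {"left_border": -OMEGA, "right_border": OMEGA,
                 "correct_left": OMEGA, "correct_right": -OMEGA}.get(loc, 0.0)
    c_dot = {"left_border": 1.0, "right_border": 1.0,
             "correct_left": -2.0, "correct_right": -2.0}.get(loc, 0.0)
    return x_dot, gamma_dot, c_dot


def reset_timer(x, gamma, c):
    return x, gamma, 0.0        # assumed jump when a border is entered


def identity(x, gamma, c):
    return x, gamma, c


# (source, target, guard, jump); guards are strict so that a transition
# fires when the trajectory actually crosses the border line
TRANSITIONS = [
    ("go_ahead",      "left_border",    lambda x, g, c: x < -1, reset_timer),
    ("go_ahead",      "right_border",   lambda x, g, c: x > 1,  reset_timer),
    ("left_border",   "in_canal",       lambda x, g, c: x < -2, identity),
    ("left_border",   "correct_left",   lambda x, g, c: x > -1, identity),
    ("right_border",  "correct_right",  lambda x, g, c: x < 1,  identity),
    ("correct_left",  "straight_ahead", lambda x, g, c: c <= 0, identity),
    ("correct_left",  "right_border",   lambda x, g, c: x > 1,  reset_timer),
    ("correct_right", "straight_ahead", lambda x, g, c: c <= 0, identity),
    ("correct_right", "left_border",    lambda x, g, c: x < -1, reset_timer),
]


def simulate(x, gamma, c=0.0, loc="go_ahead", dt=1e-3, t_max=10.0):
    """Euler-integrate the hybrid automaton; returns (final location,
    final continuous state, sequence of visited locations)."""
    visited = [loc]
    for _ in range(int(round(t_max / dt))):
        x_dot, gamma_dot, c_dot = flow(loc, x, gamma, c)
        x, gamma, c = x + x_dot * dt, gamma + gamma_dot * dt, c + c_dot * dt
        for src, dst, guard, jump in TRANSITIONS:
            if src == loc and guard(x, gamma, c):
                loc = dst
                x, gamma, c = jump(x, gamma, c)
                visited.append(loc)
                break
        if loc == "in_canal":
            break
    return loc, (x, gamma, c), visited


def sweep_initial_set(n=5):
    """Simulate an n x n grid over the initial set -1 <= x <= 1,
    -pi/4 <= gamma <= pi/4, c = 0. Returns (reached_canal, worst_heading):
    whether any run entered in_canal, and the largest |gamma| among runs
    that ended in straight_ahead (the controller should bring it to zero)."""
    reached_canal, worst = False, 0.0
    for i in range(n):
        x0 = -1 + 2 * i / (n - 1)
        for j in range(n):
            gamma0 = -math.pi / 4 + (math.pi / 2) * j / (n - 1)
            loc, (_, gamma, _), _ = simulate(x0, gamma0)
            reached_canal |= loc == "in_canal"
            if loc == "straight_ahead":
                worst = max(worst, abs(gamma))
    return reached_canal, worst


if __name__ == "__main__":
    print(simulate(-1.0, math.pi / 4)[2])
    print(sweep_initial_set())
```

The worst case in the sample grid is a car starting on a border line with $|\gamma| = \pi/4$: the arc of radius $r/\omega$ moves it at most $(r/\omega)(1 - \cos(\pi/4)) \approx 0.75$ beyond the border, which is why none of the sampled runs reaches $x = -2$, and the correction phase of half the border time brings the heading back to zero up to integration error.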
5 Refinement of Abstractions for Hybrid Systems


This  section  applies  the  general  concepts  of  Section  3  to  hybrid  systems.  We  present 
specific  solutions  for  the  two  crucial  steps  in  Infinite-State-Cegar,  validation  and 
refinement.  The  key  to  the  validation  step  is  the  computation  of  successor  states  for 
a  given  set  of  states  in  the  trace  transition  system.  Starting  from  the  initial  set,  the 
validation  procedure  computes  the  successors  along  the  counterexample  until  either 
the  unsafe  location  Zb  is  reached  or  a  transition  is  determined  to  be  spurious.  The 
computation  of  sets  of  successor  states  is  usually  the  most  expensive  step  in  hybrid 
system  verification.  Successor  sets  can  be  computed  and  represented  exactly  only 
for  certain  sub-classes  of  hybrid  systems  [16,  17].  However,  several  approaches  to 
over-approximate  successor  sets  have  been  published,  as  e.g.,  successor  set  approxi¬ 
mations  by  hyper-rectangles  [18],  general  polyhedra  [19],  projections  to  lower  dimen¬ 
sional  polyhedra  [20],  or  ellipsoids  [21].  Most  of  these  approaches  aim  at  providing  an 
efficient  way  to  obtain  conservative  but  tight  approximations  to  sets  of  reachable  states 
for  hybrid  systems. 

We note that the main difficulties introduced by hybrid systems, as opposed to finite-state or discrete infinite-state systems such as the MIU-system, originate from the fact that the transition relation for hybrid systems is implicit, derived from differential equations which in general do not even have analytical solutions. Even when analytical solutions are available, the representation and computation of successor sets is non-trivial, making it difficult to manufacture reasonably tight over-approximations to the successor function. Consequently, given an abstraction function, one has to construct the transition relation by focusing on one transition at a time in the abstract system. By contrast, in the finite-state and discrete infinite-state cases, one can usually define the transition relation for an abstraction function globally, so that many transitions can be constructed simultaneously.

The  verification  framework  presented  here  can  include  different  techniques  to  over¬ 
approximate  the  set  of  successors.  The  idea  of  using  different  methods  is  motivated 
by  the  trade-off  between  the  accuracy  and  the  computational  complexity  of  different 
methods.  If,  e.g.,  a  faster  but  maybe  less  accurate  technique  is  sufficient  to  refute  a 
counterexample,  then  there  is  no  need  to  use  a  more  computationally  expensive  method. 

In  the  following,  we  first  describe  how  an  initial  abstraction  for  a  hybrid  automaton 
can  be  obtained,  and  then  focus  on  the  validation  of  counterexamples  and  refinement  of 
abstract  models  based  on  the  use  of  different  methods  for  computing  successor  states. 

5.1  Abstraction  of  Hybrid  Systems 


For the first step of the Infinite-State-Cegar algorithm, the construction of an initial abstraction, we introduce one abstract state for each location of HA. This means that two hybrid states $(z_i, x_i)$ and $(z_j, x_j)$ of TTS are mapped to the same abstract state if and only if $z_i = z_j$. This rule applies for all but the initial location, for which we introduce one abstract state $\hat{s}_0$ to represent all initial hybrid states of TTS, and another one ($\hat{s}_0'$) to represent the remaining hybrid states corresponding to the location $z_0$:
Definition 11 Initial Abstraction of Hybrid Systems. Given a hybrid automaton HA with $Z = \{z_0, z_1, \ldots, z_{n_z}\}$, let $S$ denote the set of hybrid states as defined in (1). For $i \in \{0, 1, \ldots, n_z\}$, we define the abstraction function $\alpha : S \to \hat{S}$ by:

$$\alpha((z_i, x)) = \begin{cases} \hat{s}_0 & \text{if } i = 0 \wedge x \in X_0 \\ \hat{s}_0' & \text{if } i = 0 \wedge x \notin X_0 \\ \hat{s}_i & \text{otherwise} \end{cases} \qquad (2)$$

and the initial abstract model $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$ is defined by ($i, j \in \{0, 1, \ldots, n_z\}$):

• $\hat{S} = \{\hat{s}_0, \hat{s}_0', \hat{s}_1, \ldots, \hat{s}_{n_z}\}$

• $\hat{S}_0 = \{\hat{s}_0\}$

• $\hat{E} = \{(\hat{s}_i, \hat{s}_j) \mid (z_i, z_j) \in T\} \cup \{(\hat{s}_0', \hat{s}_j) \mid (z_0, z_j) \in T\} \cup \{(\hat{s}_i, \hat{s}_0') \mid (z_i, z_0) \in T\}$

◦

The initial abstract model represents the discrete structure of the hybrid system without regard to the continuous dynamics and guards. Given this definition, it has to be shown that $\hat{A}$ is indeed an abstract model of the underlying trace transition system, i.e., that it fulfills Defn. 2:

Lemma 6 For HA with trace transition system $TTS = (S, S_0, E)$, let $\hat{A} = (\hat{S}, \hat{S}_0, \hat{E})$ denote the initial abstract model for TTS. Then $\hat{A} \succeq TTS$, i.e., $\hat{A}$ is an abstract model of TTS. □

Example (cont.) Fig. 5 depicts the initial abstract model of the hybrid system in Fig. 4. It is a copy of the discrete part of the hybrid system, except that the initial location is divided into two parts: $\hat{s}_0$ represents the states in location go_ahead with $x \in [-1, 1]$, $\gamma \in [-\pi/4, \pi/4]$ and $c = 0$, and $\hat{s}_0'$ all other states in go_ahead. The abstract states $\hat{s}_1$ to $\hat{s}_6$ represent the hybrid states of the other locations (left_border, right_border, correct_left, correct_right, straight_ahead and in_canal, respectively). ♦

5.2 Over-approximation of the Sets of Successors

We now turn to the question of computing sets of successor states, as required in the validation and refinement steps. The goal is to use different over-approximations with different precisions and different computational requirements. For technical reasons it is convenient to define $\widetilde{succ}$ in terms of pairs $S_1, S_2 \subseteq S$, where $S_1$ is a set of source states and $S_2$ is a set of potential successor states. $\widetilde{succ}(S_1, S_2)$ is a conservative approximation of those successors of states in $S_1$ that lie in $S_2$.

Fig. 5: Initial abstract model of the hybrid system depicted in Fig. 4.
Definition 12 Over-approximation of successor states. Let HA be a hybrid automaton with the trace transition system $TTS = (S, S_0, E)$, and let $\hat{A}$ and $\alpha$ be defined as in Defn. 11. For a transition $(\hat{s}_1, \hat{s}_2) \in \hat{E}$ of $\hat{A}$, we call $S_1 := \alpha^{-1}(\hat{s}_1)$ the set of hybrid source states and $S_2 := \alpha^{-1}(\hat{s}_2)$ the set of potential hybrid successor states. Then $\widetilde{succ} : (2^S \times 2^S) \to 2^S$ is an over-approximation of the hybrid successor states in $S_2$ iff the following holds:

• $\widetilde{succ}(S_1, S_2) \subseteq S_2$,

• $\widetilde{succ}(S_1, S_2) \supseteq succ(S_1) \cap S_2$. ◦

A possible explicit realization of the operator $\widetilde{succ}$ with respect to a given set $S_2$ combines the following steps: (a) By approximating the continuous evolution for all states in $S_1$, the reachable subset of the guard set $g(t)$ is determined, where $t = (z_1, z_2) \in T$ is the transition of HA that corresponds to the transition $(\hat{s}_1, \hat{s}_2) \in \hat{E}$ of $\hat{A}$. Usually, this step is the most costly of the whole verification procedure; (b) the jump function $j(t, x)$ is applied to all hybrid states $(z_1, x)$ which are in the reachable subset of $g(t)$; (c) the image of $j(t, x)$ is intersected with the set $S_2$ of potential hybrid successor states.


Figure 6: All trajectories that originate in $S_1$ leave the invariant when $c = 0$, and none of them comes close to $S_2$. Figure (i) shows the result of the optimization method, Figure (ii) the result of the method that encloses the trajectories by polyhedra.


Example (cont.) Our prototype implementation uses two different methods, $\widetilde{succ}_{coarse}$ and $\widetilde{succ}_{tight}$, to over-approximate the set of successor states. Fig. 6 illustrates these two methods for the discrete transition from correct_right to left_border. For location correct_right we choose $S_1$ as a subset of the plane $x = 1$, and $S_2$ as all states of location left_border that satisfy the invariant $-2 \le x \le -1$. Fig. 6 depicts $S_1$ and the face of $S_2$ that coincides with the guard $x = -1$. The transition is not spurious if there exists a trajectory that starts in $S_1$ and ends in $S_2$ without leaving the invariant of correct_right ($-1 \le x \le 1 \wedge c \ge 0$). Fig. 6 (i) depicts a number of trajectories that start in $S_1$, none of which reaches $S_2$.

The first method $\widetilde{succ}_{coarse}$ poses the existence question for a trajectory between $S_1$ and $S_2$ as an optimization problem. The distance between a trajectory and $S_2$ is defined as the minimum distance between all points on the trajectory and $S_2$. If the global minimum over all trajectories that start in $S_1$ is strictly greater than zero, then no successor state of $S_1$ exists in $S_2$. In this case $\widetilde{succ}_{coarse}(S_1, S_2)$ returns an empty set. If the minimum distance is zero, at least one corresponding concrete path exists, and $\widetilde{succ}_{coarse}(S_1, S_2)$ returns the entire set $S_2$ as an over-approximation of the set of successor states. Note that refuting a transition in this way is only sound if the computed value is a lower bound on the distance, i.e. the global minimum; a merely local minimum greater than zero would not justify removing the transition. The bold trajectory in Fig. 6 (i) is the optimal trajectory. Its distance to $S_2$ is greater than zero, and there is hence no trajectory from $S_1$ to $S_2$.

The second method $\widetilde{succ}_{tight}$ computes polyhedra that enclose all trajectories that originate in $S_1$. This over-approximation with polyhedra is based on work presented in [19]. The set of successor states $\widetilde{succ}_{tight}(S_1, S_2)$ is then obtained by intersecting the polyhedra with $S_2$. Fig. 6 (ii) shows that this intersection is empty, i.e. there are no successors of $S_1$ in $S_2$. ♦

5.3  Validation  and  Refinement 

The Infinite-State-Cegar algorithm makes a clear distinction between the validation of a counterexample and the refinement of the abstract model. For hybrid systems, we propose a slightly different approach, in which the steps of validation and refinement are interleaved. We assume a set of over-approximation techniques $\widetilde{succ}_1, \ldots, \widetilde{succ}_n$ that can (but need not) establish a hierarchy of coarse to tight approximations.

The proposed algorithm for the combined validation and refinement steps of a counterexample is shown in Fig. 7. Let $\hat{\sigma} = (\hat{s}_0, \ldots, \hat{s}_m)$ denote a counterexample of the abstract model $\hat{A}$. The algorithm consists of two nested loops. The outer loop corresponds to checking each transition of the counterexample. The inner loop applies each of the over-approximation techniques to the current transition of the counterexample, and, depending on the result, one of the two refinement operations is executed: If an over-approximation technique $\widetilde{succ}_i$ reveals that the current transition is spurious, i.e. $S_k^{reach} = \emptyset$, then the transition is removed from the abstract model by $\rho_{purge}$. When a transition is removed, the set of behaviors of $\hat{A}$ does not include the current counterexample anymore, and thus the combined validation and refinement of the current counterexample is completed.

If, on the other hand, $\widetilde{succ}_i$ returns a non-empty set $S_k^{reach}$ and this set is a proper subset of the states corresponding to $\hat{s}_k$, the function $\rho_{split}$ divides $\hat{s}_k$ into two states $\hat{s}_k^{reach}$ and $\hat{s}_k^{comp}$ (cf. Defn. 6). In this case $\hat{\sigma} = (\hat{s}_0, \ldots, \hat{s}_{k-1}, \hat{s}_k^{reach}, \hat{s}_{k+1}, \ldots, \hat{s}_m)$ remains a counterexample of the refined model. Thus the algorithm continues with the next transition ($k + 1$) until either $S_k^{reach} = \emptyset$ or the last transition of the counterexample is validated.

There is some freedom in combining the steps of validation and refinement, i.e., the scheme in Fig. 7 is just one possible implementation. One interesting alternative is to apply the coarsest method for validation first to all transitions in the abstract counterexample, or to apply state splitting ($\rho_{split}$) only based on the result of the most accurate approximation method $\widetilde{succ}_n$.

The algorithm as proposed in Fig. 7 has two possible outcomes: either it is proved that a forbidden state cannot be reached, or there exists a counterexample that cannot be refuted. Since the validation procedure relies on over-approximations, it cannot be guaranteed that this abstract counterexample corresponds to a concrete one. In this case, under-approximations of sets of successor states can possibly be used to prove that a counterexample exists: Assume that the procedure terminates with a counterexample $\hat{\sigma} = (\hat{s}_0, \hat{s}_1, \ldots, \hat{s}_k, \ldots, \hat{s}_m)$, no transition of which could be refuted. Similarly to Defn. 12, we can define an under-approximation of successor states $S_k^{reach} = \underline{succ}(S_{k-1}^{reach}, \alpha^{-1}(\hat{s}_k))$ which returns a set $S_k^{reach} \subseteq \alpha^{-1}(\hat{s}_k)$ guaranteed to contain only true successors of $S_{k-1}^{reach}$. If this operator is applied along the counterexample (from $k = 1$ to $k = m$) and $S_m^{reach} \neq \emptyset$, there exists at least one path for the hybrid system which violates the safety property.

    // $S_0^{reach}$ is the set of initial hybrid states
    FOR $k = 1, \ldots, m$
        FOR $i = 1, \ldots, n$
            $S_k^{reach} := \widetilde{succ}_i(S_{k-1}^{reach}, \alpha^{-1}(\hat{s}_k))$
            IF $S_k^{reach} = \emptyset$
                $\hat{A} := \rho_{purge}(\hat{A}, (\hat{s}_{k-1}, \hat{s}_k))$
                RETURN   // jump out of both loops
            ELSEIF $S_k^{reach} \subset \alpha^{-1}(\hat{s}_k)$
                $(\hat{A}, \alpha) := \rho_{split}(\hat{A}, \alpha, (\hat{s}_{k-1}, \hat{s}_k))$
            END IF
        END FOR
    END FOR

Figure 7: Refinement and validation steps for hybrid systems.

As  noted  earlier,  when  using  over-approximations,  there  is  no  guarantee  that  a  spu¬ 
rious  counterexample  can  be  refuted.  The  likelihood  of  refuting  spurious  counterex¬ 
amples  can  be  increased,  however,  by  using  tighter  polyhedral  approximations.  When 
the  over-approximations  are  tight,  the  presence  of  an  unrefuted  yet  spurious  counterex¬ 
ample  is  indicative  of  a  very  slim  error  margin  separating  the  reachable  states  from 
the  bad  ones.  We  would  argue  that  when  an  unrefuted  spurious  counterexample  is  en¬ 
countered,  it  may  be  better  to  redesign  the  implementation  of  our  hybrid  system  so  as 
to  increase  the  error  margin,  rather  than  risk  facing  an  actual  failure  in  a  real-world 
implementation  of  this  system. 

If  we  compare  the  verification  algorithm  for  hybrid  systems  presented  here  to  sim¬ 
ilar  approaches  in  the  literature  such  as  [9],  we  note  that  the  main  advantage  of  our 
method  is  that,  in  relying  on  spurious  counterexamples  to  refine  our  successive  ab¬ 
stract  models,  we  are  focusing  on  the  local  properties  of  our  system  that  are  relevant 
to  establish  or  invalidate  a  particular  specification.  This  leaves  us  free,  for  instance,  to 
employ  cheap  gross  over-approximations  of  successor  states  in  irrelevant  areas  of  the 
hybrid  system. 
Figure 8: Counterexample-guided abstraction illustrated for the car steering problem.


Example (cont.) The requirement that the hybrid model in Fig. 4 should never enter the location in_canal translates into the reachability question for state $\hat{s}_6$ of the abstract model in Fig. 5. The first counterexample for the initial abstract model is $\hat{\sigma}_1 = (\hat{s}_0, \hat{s}_1, \hat{s}_6)$ (see Fig. 8 (i)). The validation procedure considers first the transition $(\hat{s}_0, \hat{s}_1)$, which corresponds to the transition between go_ahead and left_border in the hybrid automaton. As a first step, $\widetilde{succ}_{coarse}(S_0, \alpha^{-1}(\hat{s}_1))$ is computed, with the result that the minimum distance over all initial states is zero. This is obvious from the fact that those states of the initial set for which $x = -1$ enable the transition guard immediately. Thus, $\widetilde{succ}_{coarse}$ returns the entire invariant of location left_border as set $S_2$. The next step is to compute $S_2^{reach} = \widetilde{succ}_{tight}(S_0, \alpha^{-1}(\hat{s}_1))$. The algorithm then splits $\hat{s}_1$ so that $\hat{s}_1$ represents the set $S_2^{reach}$, and the new abstract state (denoted $\hat{s}_1'$ below) represents $S_2 \setminus S_2^{reach}$ (Fig. 8 (ii)).

Since the counterexample has not been eliminated yet, the transition $(\hat{s}_1, \hat{s}_6)$ is considered next. Method $\widetilde{succ}_{coarse}$ finds that the minimal distance between the trajectories that start in $S_2^{reach}$ and the guard $x = -2$ is greater than zero. This means that no trajectory reaches the guard, and the corresponding transition is removed (Fig. 8 (iii)).

The procedure continues with the next counterexample $\hat{\sigma}_2 = (\hat{s}_0, \hat{s}_2, \hat{s}_4, \hat{s}_1', \hat{s}_6)$, as depicted in Fig. 8 (iv). As for the first counterexample, the abstract state $\hat{s}_2$ is split into the states that are reachable from the initial set $S_0$ and the remainder (Fig. 8 (v)). Then the procedure moves forward one transition and splits state $\hat{s}_4$ as a result of applying $\widetilde{succ}_{tight}$. The reachable part is represented by $\hat{s}_4$ in Fig. 8 (vi). Method $\widetilde{succ}_{coarse}$ then finds that one cannot reach any state represented by $\hat{s}_1'$ from this set, and the transition $(\hat{s}_4, \hat{s}_1')$ can be deleted from $\hat{A}$ (Fig. 8 (vii)).

The final counterexample is $\hat{\sigma}_3 = (\hat{s}_0, \hat{s}_1, \hat{s}_3, \hat{s}_2, \hat{s}_4, \hat{s}_1', \hat{s}_6)$. The state $\hat{s}_1$ was already split for the first counterexample. Similarly to the procedure for the counterexample $\hat{\sigma}_2$, abstract state $\hat{s}_3$ is split as depicted in Fig. 8 (viii). It can then be shown that transition $(\hat{s}_3, \hat{s}_2)$ is spurious, which eliminates the last counterexample (Fig. 8 (ix)). Consequently, the abstract state $\hat{s}_6$ is not reachable, and thus the same applies for the location in_canal of the hybrid automaton. ♦

Figure 9: Validation and refinement of fragments illustrated for a counterexample of the car steering problem.

5.4  Validation  and  Refinement  of  Fragments  of  Counterexamples 

The initial abstraction of the example in Fig. 5 contains only two counterexamples without cycles, $(\hat{s}_0, \hat{s}_1, \hat{s}_6)$ and $(\hat{s}_0, \hat{s}_2, \hat{s}_4, \hat{s}_1, \hat{s}_6)$. However, to show that no bad state is reachable, three counterexamples in the series of abstractions were considered and refuted (cf. Fig. 8). Hence, refining an abstract model to eliminate a particular counterexample may introduce new counterexamples. In this subsection we show that considering fragments of counterexamples, rather than complete counterexamples, can reduce the total number of counterexamples that have to be considered. This often results in a significant speed-up of the verification process.

The main reason for considering fragments is as follows. The validation and refinement routine that we presented in the previous subsection typically refutes a counterexample (indeed, when a counterexample is not refuted, the algorithm stops). The counterexample refutation case can be made more efficient by the following observation. In the previous subsection, a (spurious) counterexample $(\hat{s}_0, \ldots, \hat{s}_m)$ is refuted by showing that no corresponding concrete path $(s_0, \ldots, s_m)$ exists. Interestingly, showing that any one of the transitions $(\hat{s}_i, \hat{s}_{i+1})$ in the counterexample is spurious is a sufficient condition for the non-existence of a corresponding concrete path.

Alternatively, we can also conclude that a counterexample is spurious if one of the fragments $(\hat{s}_i, \hat{s}_{i+1}, \hat{s}_{i+2})$ is spurious, in other words if there is no corresponding concrete path $(s_i, s_{i+1}, s_{i+2})$ in the concrete model. In general, one can define spurious fragments of length $n$. Validation and refinement of such fragments of counterexamples can be done in a similar way as for complete counterexamples.

We  now  illustrate  that  validation  and  refinement  of  short  fragments  can  increase 
the  efficiency  of  the  verification  process.  Clearly,  if  one  can  refute  a  fragment  of  a 
counterexample,  e.g.,  a  single  transition,  then  the  entire  counterexample  is  spurious.  If 
a  counterexample  can  be  refuted  by  considering  a  fragment  of  length  n,  it  can  surely  be 
refuted  by  considering  fragments  of  length  n+  1.  However,  using  a  fragment  of  length 
n+l  may  have  the  undesirable  side-effect  of  introducing  new  counterexamples,  or  at 
least  more  counterexamples  than  the  method  based  on  fragments  of  length  n. 
Example (cont.) Consider as an example Fig. 9 (i), which depicts part of the abstract model in Fig. 8 (iv) and contains the counterexample. Note that there is a loop that enters the counterexample at $\hat{s}_2$ and leaves it at $\hat{s}_4$. For this car steering example it can be shown that the fragment $(\hat{s}_2, \hat{s}_4, \hat{s}_1')$ is spurious, even though neither of the transitions is spurious on its own. This means that validation and refinement of fragments of length 2 removes the counterexample as depicted in Fig. 9 (ii).

If we consider the complete counterexample instead, we also find that the counterexample is spurious. But in this case we would also split $\hat{s}_2$, which introduces an additional counterexample that exploits the loop, as shown in Fig. 9 (iii). In general, whenever we split all abstract states between the entry and exit points of a loop, this will 'open' the loop and inevitably create an additional counterexample.

There is little choice if these states have to be split to refute the counterexample. Consider for instance the first counterexample in Fig. 8 (i). This counterexample can only be eliminated by splitting $\hat{s}_1$. But if it is possible to refute a short fragment rather than a long one, this should be preferred. If we apply validation and refinement to fragments of length 2 of the counterexample in Fig. 8 (iv), we are guaranteed that it will not introduce new counterexamples. If it then succeeds, we can be sure that the number of counterexamples decreases. In this particular case, refuting fragment $(\hat{s}_2, \hat{s}_4, \hat{s}_1')$ eliminates all other counterexamples, as they also include this fragment.
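The refinement operations of Subsection 5.3 ($\rho_{purge}$, $\rho_{split}$) and the loop-opening effect discussed in this subsection, worked through on an abstract model as an added example. This is not the paper's prototype: the abstract graph is constructed for illustration (loosely modelled on the situation of Fig. 8 (iv), with a loop $\hat{s}_2 \to \hat{s}_4 \to \hat{s}_1 \to \hat{s}_3 \to \hat{s}_2$ entering the counterexample $(\hat{s}_0, \hat{s}_2, \hat{s}_4, \hat{s}_1', \hat{s}_6)$ at $\hat{s}_2$ and leaving it at $\hat{s}_4$) and is not a transcription of that figure, and the split semantics assumed here (the source of the validated transition keeps an edge only to the reached half, every other predecessor conservatively gets edges to both halves, both halves inherit the outgoing edges) is read from the proof of Lemma 2 rather than quoted from Defn. 6. Which transitions are spurious is taken from the text, not computed. The script counts acyclic abstract counterexamples after refining the length-2 fragment and after refining the complete counterexample.

```python
"""Abstract-model refinement on a constructed abstract graph.

Added example, not the paper's prototype: rho_purge, rho_split and a
simple-path enumeration of abstract counterexamples, used to compare the
fragment-based refinement of Section 5.4 with refinement of a complete
counterexample. The graph is constructed for illustration (loosely
modelled on Fig. 8 (iv)); it is not a transcription of that figure.
"""


def build_model():
    """Abstract transitions: s0 initial, s6 the bad state; s1' is the half of
    s1 left over by an earlier split. The loop s2 -> s4 -> s1 -> s3 -> s2 enters
    the counterexample (s0, s2, s4, s1', s6) at s2 and leaves it at s4."""
    return {
        "s0": {"s1", "s2"},
        "s1": {"s3"},
        "s1'": {"s6"},
        "s2": {"s4"},
        "s3": {"s2", "s5"},
        "s4": {"s1", "s1'", "s5"},
        "s5": set(),
        "s6": set(),
    }


def counterexamples(edges, init="s0", bad="s6"):
    """All acyclic abstract paths from init to bad (the counterexamples
    'without cycles' of Section 5.4), found by depth-first search."""
    found = []

    def dfs(node, path):
        if node == bad:
            found.append(tuple(path))
            return
        for nxt in sorted(edges.get(node, ())):
            if nxt not in path:
                dfs(nxt, path + [nxt])

    dfs(init, [init])
    return found


def purge(edges, src, dst):
    """rho_purge: remove the spurious abstract transition (src, dst)."""
    edges = {k: set(v) for k, v in edges.items()}
    edges[src].discard(dst)
    return edges


def split(edges, src, state):
    """rho_split for the transition (src, state): replace state by state^r (the
    part reached from src) and state^c (the rest). src keeps a transition only
    to state^r; every other predecessor, whose successors were not computed,
    conservatively gets transitions to both halves; both halves inherit the
    outgoing transitions of state (assumed reading of Defn. 6)."""
    edges = {k: set(v) for k, v in edges.items()}
    reach, comp = state + "^r", state + "^c"
    successors = edges.pop(state)
    edges[reach], edges[comp] = set(successors), set(successors)
    for pred, targets in edges.items():
        if state in targets:
            targets.discard(state)
            targets.add(reach)
            if pred != src:
                targets.add(comp)
    return edges


def refine_fragment(edges):
    """Refute the length-2 fragment (s2, s4, s1'): split s4 with respect to
    (s2, s4) and purge the spurious transition (s4^r, s1')."""
    edges = split(edges, "s2", "s4")
    return purge(edges, "s4^r", "s1'")


def refine_complete(edges):
    """Walk the complete counterexample (s0, s2, s4, s1', s6) as in Fig. 7,
    taking (s0, s2) and (s2, s4) as validated with proper reach subsets
    (hence split) and (s4, s1') as spurious (hence purged)."""
    edges = split(edges, "s0", "s2")
    edges = split(edges, "s2^r", "s4")
    return purge(edges, "s4^r", "s1'")


if __name__ == "__main__":
    for name, model in [("initial", build_model()),
                        ("fragment-based", refine_fragment(build_model())),
                        ("complete counterexample", refine_complete(build_model()))]:
        print(name, counterexamples(model))
```

On this graph the fragment-based refinement leaves no counterexample, because every path to s6 passes through the purged transition out of s4^r, whereas refining the complete counterexample splits s2 as well and thereby opens the loop: s3 still reaches the unvalidated half s2^c, whose transition into s4^c is not affected by the purge, so new counterexamples through s2^c and s4^c appear.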

5.5  Experimental  Results 

Experimental  results  for  a  prototype  implementation  of  the  procedure  indicate  its  ad¬ 
vantages  over  existing  methods.  We  apply  the  prototype  first  to  the  car  steering  example 
that  was  discussed  throughout  this  paper.  Then  a  larger  and  more  challenging  example 
on  an  adaptive  cruise  control  system  that  was  put  forward  in  the  MoBIES  project  [22] 
is  discussed. 

5.5.1  Car  Steering  Example 

For the car steering example we take as baseline Infinite-State-Cegar as described in Subsection 5.3 with the only successor operator $\widetilde{succ}_{tight}$. We refer to this method as Infinite-State-Cegar-I. For the car steering example this method computes the same number of $\widetilde{succ}_{tight}$ operations as a breadth-first application of the successor operator. Breadth-first application is the most prevalent method used for model checking hybrid systems.

We compare this method with two other instances of Infinite-State-Cegar. Infinite-State-Cegar-II refines and validates complete counterexamples using the two different methods, as described in Subsection 5.3. The third instance Infinite-State-Cegar-III first validates single transitions using $\widetilde{succ}_{coarse}$. Next, it considers fragments of length 2, using $\widetilde{succ}_{coarse}$. Finally, the third validation and refinement scheme considers fragments of length 2, but uses $\widetilde{succ}_{tight}$ for the first transition and $\widetilde{succ}_{coarse}$ for the second. If these three schemes fail to refute the counterexample, the complete counterexample is considered, using the same routine as the second instance of Infinite-State-Cegar.
For the car steering example the following results are obtained when run on a Pentium 4, 1.4 GHz. Infinite-State-Cegar-I considers three counterexamples, computes $\widetilde{succ}_{tight}$ five times, and takes 117 seconds to verify that the car steering example is safe. Infinite-State-Cegar-II considers the same counterexamples but computes $\widetilde{succ}_{tight}$ only three times, and finishes in 70 seconds. Infinite-State-Cegar-III considers only two counterexamples and computes $\widetilde{succ}_{tight}$ only once. Since this particular successor was easy to compute, the overall time drops to 10 seconds.

5.5.2  MoBIES  Adaptive  Cruise  Control  System 

The  model  that  we  use  for  the  adaptive  control  experiments  is  based  on  a  Simulink/ 
Stateflow  model  [23].  The  adaptive  cruise  control  is  part  of  a  vehicle-to-vehicle  coor¬ 
dination  system.  The  part  of  this  system  that  we  consider  comprises  two  modes:  the 
cruise  control  mode  (cc-mode)  in  which  a  car  tries  to  keep  a  constant  speed,  and  an 
adaptive  cruise  control  mode  (acc-mode),  in  which  the  car  tries  to  stay  a  safe  distance 
behind  a  vehicle  ahead  of  it.  The  acc-controller  switches  into  acc-mode  whenever  the 
distance  between  the  car  and  a  vehicle  ahead  falls  below  a  certain  threshold.  This 
threshold  depends  linearly  on  car  speed. 

The  system  also  includes  an  automatic  transmission  system  with  four  gears.  De¬ 
pending  on  the  speed  of  the  car  it  will  switch  between  the  different  gears.  The  hybrid 
automaton  that  models  both  the  acc-controller  and  the  automatic  transmission  has  8 
locations  for  the  normal  operation  and  one  additional  state  that  is  entered  on  collisions, 
when  the  distance  between  the  cars  is  zero.  Obviously,  this  is  the  location  that  should 
not  be  reachable.  The  model  takes  into  account  the  distance  between  two  cars,  their 
relative  velocity  and  the  velocity  of  the  following  car.  The  differential  equations  that 
describe  the  continuous  behavior  are  non-linear,  mainly  due  to  saturation;  for  each  gear 
there  are  upper  and  lower  bounds  on  the  possible  acceleration. 

For the adaptive cruise control example the hybrid model checker CheckMate [3] is used as a baseline, since it is possible for this case study to generate a CheckMate model that exhibits exactly the same behavior as our model. CheckMate takes 770 seconds to verify that the system is safe. We compare this result to our two approaches Infinite-State-Cegar-II and Infinite-State-Cegar-III. Infinite-State-Cegar-II considers 46 counterexamples and computes $\widetilde{succ}_{tight}$ 11 times, in 450 seconds. The resulting safe abstraction has 29 states. Infinite-State-Cegar-III considers only 10 potential counterexamples, computes $\widetilde{succ}_{tight}$ just once, and takes only 39 seconds. The resulting abstraction has just 15 states. Five of the counterexamples have been refuted by considering single transitions; for example, when the following car is in first gear and in acc-mode, then it cannot collide with the leading car. All other counterexamples were refuted by considering segments of length 2. For example, one such refuted counterexample corresponds to the case when the car is in third gear and switches to acc-mode; this cannot lead to a collision.
6 Conclusions


This paper presents a new method for using counterexamples to refine abstractions of hybrid systems. The principal alternative for verifying the safety properties considered in this paper is to compute the reachable states for the hybrid system using a breadth-first application of the successor operator $succ$. It is apparent that the Infinite-State-Cegar procedure can be faster than breadth-first reachability when the safety property does not hold for the concrete system, since in this case it is possible for the model checker to quickly find a true counterexample. On the other hand, if the safety property holds, refuting one counterexample may implicitly refute others. However, the Infinite-State-Cegar procedure continues until all possible counterexamples have been explored (and indeed, may not terminate), which is in some cases equivalent to the breadth-first reachability computation. Nevertheless, we have shown here that Infinite-State-Cegar offers the possibility of using multiple methods for computing approximations to the successor states.
Appendix


Proof of Lemma 1.

Proof. By contradiction: If $C \not\models AG\,\neg B$, then at least one path $\sigma = (s_0, s_1, \ldots, b)$ with $b \in B$ must exist for $C$. From Defn. 2, it follows that the corresponding abstract counterexample $\hat{\sigma} = (\hat{s}_0, \hat{s}_1, \ldots, \hat{b})$ of $\hat{A}$ is a counterexample, which contradicts the premise $\hat{A} \models AG\,\neg B$. ■

Proof  of  Lemma  2. 

Proof. (i) $\hat{A}$ abstracts $\hat{A}'$. It follows straightforwardly that $\hat{A}$ is an abstract model of $\hat{A}'$ with abstraction function $\alpha''$ as defined in Defn. 6.

(ii) $\hat{A}'$ abstracts $C$. From the above definitions of $\hat{A}' = (\hat{S}', \hat{S}'_0, \hat{E}')$ and $\alpha'$, it follows that $\hat{A}'$ would be an abstract model of $C$ if $\hat{E}'$ also included the transition $(\hat{s}_1, \hat{s}_2^{comp})$. However, since $S_1^{reach}$ and $S_2^{comp}$ are disjoint, this abstract transition does not correspond to any concrete transition and can therefore be omitted. ■

Proof  of  Lemma  3. 

Proof. (i) $\hat{A}$ abstracts $\hat{A}'$. The corresponding abstraction function is the identity. Since $\hat{A}$ has just one additional transition, it is an abstract model of $\hat{A}'$.

(ii) $\hat{A}'$ abstracts $C$. The abstraction function for this abstraction is $\alpha$. We can then omit the abstract transition $(\hat{s}_1, \hat{s}_2)$, since it does not correspond to any concrete transition. ■

Proof  of  Lemma  4. 

Proof. (i) If the algorithm terminates with "B reachable", then the set of reachable states in the concrete model is non-empty along the path of the last checked counterexample. Formally, $S_k^{reach} \neq \emptyset$ for $k = 0, \ldots, m$, due to the conditions in the IF statement ($S_k^{reach} \cap B \neq \emptyset$) and the WHILE statement ($S_k^{reach} \neq \emptyset$ AND $k < m$).

We can now show that the last checked counterexample in the algorithm is not spurious. To do so, we first show that for each $k$, all $s_k \in S_k^{reach}$ can be reached by paths in the concrete model. The proof is done by induction on $k$. For $k = 0$, each $s_0 \in S_0^{reach}$ can be reached by a path of length zero. For $k > 0$, for each $s_k \in S_k^{reach}$ there exists an $s_{k-1} \in S_{k-1}^{reach}$ such that $(s_{k-1}, s_k) \in E$ (by definition of the $succ$ operator). By induction, $s_{k-1}$ is reachable by some concrete path $(s_0, \ldots, s_{k-1})$, hence $s_k$ is reachable via the concrete path $(s_0, \ldots, s_k)$.

Since for each $k$, all $s_k \in S_k^{reach}$ can be reached by paths in the concrete model, there are paths $(s_0, s_1, \ldots, s_m)$ with $s_m \in S_m^{reach} \cap B$. Each such path corresponds to a counterexample in the concrete model. Thus, $C \not\models AG\,\neg B$.

(ii) If the algorithm terminates with "B not reachable", then it was not possible to find any counterexample for the current abstract model $\hat{A}$. But since $\hat{A}$ is in each step an abstraction of $C$, we can conclude by Lemma 1 that $C \models AG\,\neg B$ holds. ■
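As an added illustration of the algorithm that Lemma 4 reasons about (not code from the paper), the following Python routine runs the counterexample check on a constructed finite-state model standing in for the hybrid system: $succ$ is computed by enumerating a finite transition relation rather than over continuous state sets, the location-only abstraction mirrors Lemma 6, and the witness path is rebuilt by the inductive argument of case (i).

```python
from typing import Callable, Dict, Hashable, List, Set, Tuple

State = Tuple[int, int]           # concrete state (z, x): location z, continuous stand-in x
Trans = Set[Tuple[State, State]]  # concrete transition relation E

def check_counterexample(S0: Set[State], E: Trans, B: Set[State],
                         alpha: Callable[[State], Hashable],
                         abstract_path: List[Hashable]):
    """S_0^reach = S0 within alpha^-1(s^_0); S_k^reach = succ(S_{k-1}^reach) within
    alpha^-1(s^_k).  Returns ("B reachable", concrete witness path) or ("spurious", k),
    k being the first index with an empty reach set (m if the last set misses B)."""
    m = len(abstract_path) - 1
    reach: List[Set[State]] = [{s for s in S0 if alpha(s) == abstract_path[0]}]
    pred: List[Dict[State, State]] = [{}]   # one concrete predecessor per reached state
    k = 0
    while reach[k] and k < m:               # WHILE condition of the algorithm
        k += 1
        step: Dict[State, State] = {}
        for (s, t) in E:                    # succ, restricted to the k-th abstract state
            if s in reach[k - 1] and alpha(t) == abstract_path[k]:
                step.setdefault(t, s)
        reach.append(set(step))
        pred.append(step)
    if not reach[k]:
        return ("spurious", k)
    hit = reach[m] & B                      # IF condition: S_m^reach intersect B != {}
    if not hit:
        return ("spurious", m)
    # Lemma 4 (i): walk recorded predecessors back to S0; this is the inductive
    # argument that every s_k in S_k^reach lies on a concrete path from S0.
    path = [min(hit)]
    for j in range(m, 0, -1):
        path.append(pred[j][path[-1]])
    path.reverse()
    return ("B reachable", path)

# Constructed toy model (not from the paper): locations z in {0, 1, 2}, x in 0..3.
# Location 1 can only be left for location 2 once x has reached 3, so an abstract
# path that enters location 1 too early is spurious.
S0: Set[State] = {(0, 0)}
E: Trans = {((0, 0), (0, 1)), ((0, 1), (0, 2)), ((0, 2), (0, 3)),
            ((0, 1), (1, 1)), ((0, 3), (1, 3)), ((1, 3), (2, 3))}
B: Set[State] = {(2, 3)}
loc = lambda s: s[0]   # abstraction function: keep only the location, as in Lemma 6

if __name__ == "__main__":
    for p in ([0, 1, 2], [0, 0, 1, 2], [0, 0, 0, 0, 1, 2]):
        print(p, "->", check_counterexample(S0, E, B, loc, p))
```

The first two abstract paths are refuted after one and three transitions respectively, the kind of short-segment refutation the case study reports; the third yields a concrete path ending in B, so the counterexample is genuine.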

Proof  of  Lemma  5. 

Proof.  The  proof  follows  the  same  lines  as  the  corresponding  case  of  Lemma  4  and  is 
therefore  omitted. 

Proof  of  Lemma  6. 

Proof. We show that $\alpha$ as defined in Defn. 11 is an abstraction function. The first condition in Defn. 2 follows directly from the definition of $\alpha$. To show the second condition, it must be proved that

$$\hat{E} = \{(\hat{s}_i, \hat{s}_j) \mid (z_i, z_j) \in T\} \cup \{(\hat{s}_0, \hat{s}_j) \mid (z_0, z_j) \in T\} \cup \{(\hat{s}_i, \hat{s}_0) \mid (z_i, z_0) \in T\} \supseteq \{(\hat{s}_i, \hat{s}_j) \mid \exists s_i, s_j \in S : (s_i, s_j) \in E,\ \hat{s}_i = \alpha(s_i),\ \hat{s}_j = \alpha(s_j)\}.$$

Assume $(s_i, s_j) \in E$, and $s_i = (z_i, x_i)$ and $s_j = (z_j, x_j)$ with $x_i, x_j \in X$ and $i, j \neq 0$. Then, it follows from the definition of $E$ in Defn. 9 that $(z_i, z_j) \in T$. Thus, $(\hat{s}_i, \hat{s}_j) \in \hat{E}$. The other cases ($i = 0$ or $j = 0$) can be shown in a similar way. ■